nmap Command Switches

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It's supported by many operating systems, including Unix, Windows, and Linux.

The state of the port as determined by an nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming request on that port. Filteredmeans a firewall or network filter is screening the port and preventing nmap from discovering whether it's open. Unfiltered mean the port is determined to be closed, and no firewall or filter is interfering with the nmap requests.

Nmap supports several types of scans. Table 1 details some of the common scan methods.

Table 1: Nmap scan types

Nmap scan type

Description

TCP connect

The attacker makes a full TCP connection to the target system. The most reliable scan type but also the most detectable. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

XMAS tree scan

The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the "lights" are on, meaning the FIN, URG, and PSHflags are set (the meaning of the flags will be discussed later in this chapter). Closed ports reply with a RST flag.

SYN stealth scan

This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection isn't opened. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

Null scan

This is an advanced scan that may be able to pass through firewalls undetected or modified. Null scan has all flags off or not set. It only works on Unix systems. Closed ports will return a RST flag.

Windows scan

This type of scan is similar to the ACK scan and can also detect open ports.

ACK scan

This type of scan is used to map out firewall rules. ACK scan only works on Unix. The port is considered filtered by firewall rules if an ICMP destination unreachable message is received as a result of the ACK scan.

The nmap command has numerous switches to perform different types of scans. The common command switches are listed in Table 2.

Table 2: Common nmap command switches

nmap command switch

Scan performed

-sT

TCP connect scan

-sS

SYN scan

-sF

FIN scan

-sX

XMAS tree scan

-sN

Null scan

-sP

Ping scan

-sU

UDP scan

-sO

Protocol scan

-sA

ACK scan

-sW

Windows scan

-sR

RPC scan

-sL

List/DNS scan

-sI

Idle scan

-Po

Don't ping

-PT

TCP ping

-PS

SYN ping

-PI

ICMP ping

-PB

TCP and ICMP ping

-PB

ICMP timestamp

-PM

ICMP netmask

-oN

Normal output

-oX

XML output

-oG

Greppable output

-oA

All output

-T Paranoid

Serial scan; 300 sec between scans

-T Sneaky

Serial scan; 15 sec between scans

-T Polite

Serial scan; .4 sec between scans

-T Normal

Parallel scan

-T Aggressive

Parallel scan, 300 sec timeout, and 1.25 sec/probe

-T Insane

Parallel scan, 75 sec timeout, and .3 sec/probe

To perform an nmap scan, at the Windows command prompt type Nmap IPaddress followed by any command switches used to perform specific type of scans. For example, to scan the host with the IP address 192.168.0.1 using a TCP connect scan type, enter this command:

Nmap 192.168.0.1 -sT

Make sure you're familiar with the different types of nmap scans, the syntax to run nmap, and how to analyze nmap results. The syntax and switches used by the nmap command will be tested on the CEH exam.